US20230056018A1 - Anamoly detection system for peripheral component interconnect express - Google Patents
- Publication number
- US20230056018A1 US17/408,942
- Authority
- US
- United States
- Prior art keywords
- trigger
- event
- controller
- traffic anomaly
- event counter
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F13/00—Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
- G06F13/38—Information transfer, e.g. on bus
- G06F13/42—Bus transfer protocol, e.g. handshake; Synchronisation
- G06F13/4204—Bus transfer protocol, e.g. handshake; Synchronisation on a parallel bus
- G06F13/4221—Bus transfer protocol, e.g. handshake; Synchronisation on a parallel bus being an input/output bus, e.g. ISA bus, EISA bus, PCI bus, SCSI bus
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/166—Implementing security features at a particular protocol layer at the transport layer
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2213/00—Indexing scheme relating to interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
- G06F2213/0026—PCI express
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A traffic anomaly detector of a Peripheral Component Interconnect express (PCIe) system, including filters configured to filter headers of PCIe transaction layer packets (TLPs) based on respective filter criterion; a classifier configured to trigger an event based on one of the filter criterion or a logical combination of a plurality of the filter criteria; an event counter configured to count a number of the events; and a processor configured to detect, based on a value of the event counter, an anomaly in the PCIe TLP traffic.
Description
- Peripheral Component Interconnect express (PCIe) is a high-speed serial interface standard applied in personal computers, servers, and mobile devices. In a PCIe topology, many devices (endpoints) may be connected to a host (root complex) via a switch. The security of PCIe topology becomes a concern as many devices from different vendors, along with independent applications using PCIe, are integrated into a single system. In such integrated systems it is important to provide security between connected devices and software applications using these devices.
- Attack methods vary among systems, requiring corresponding mechanisms to counter or avoid attacks. One approach is to continuously monitor traffic patterns and generate statistical information for assessing a current health of the PCIe network. Data rates of PCIe network are high, and thus software-only solutions may not meet performance and latency requirements.
- FIG. 1 illustrates a schematic diagram of an example automotive Electronic Control Unit (ECU) in which aspects of the disclosure may be applied.
- FIG. 2 illustrates a schematic diagram of a traffic anomaly detector of a Peripheral Component Interconnect express (PCIe) controller in accordance with aspects of the disclosure.
- FIG. 3 illustrates an example of a memory write Transaction Layer Packet (TLP).
- FIG. 4 illustrates a flowchart of a method of detecting a traffic anomaly in a PCIe network in accordance with aspects of the disclosure.
- The present disclosure is directed to detecting traffic properties and creating corresponding metadata for evaluation by software. Thereafter, a host may respond in order to maintain Peripheral Component Interconnect express (PCIe) network security.
- FIG. 1 illustrates a schematic diagram of an example automotive Electronic Control Unit (ECU) 100 in which aspects of the disclosure may be applied.
- The ECU 100 includes two microcontrollers 110, 120 coupled together via printed circuit board (PCB) traces 130. Each microcontroller 110, 120 includes a microcontroller core 112, 122, Ethernet media access controllers (MACs) 112, 124, other interfaces 114.3, 124.3, and PCIe controllers 116, 126. Each of the PCIe controllers 116, 126 includes a physical layer (PHY) coupled to the PCB traces 130. Ethernet MACs 112, 124 and PCIe controllers 116, 126 differ in that Ethernet MACs provide streams to their data whereas PCIe controllers 116, 126 access internal resources directly. It is therefore important that PCIe controllers 116, 126 continuously monitor traffic to protect against cyberattacks, a feature missing from the PCIe specification.
- FIG. 2 illustrates a schematic diagram of a traffic anomaly detector 200 of a Peripheral Component Interconnect express (PCIe) controller in accordance with aspects of the disclosure.
- The traffic anomaly detector 200 comprises one or more filters 210, a classifier 220, one or more event counters 230, a push controller 240, one or more read counters 250, a reset controller 260, and a trigger controller 270.
- Inbound transaction layer packets (TLPs) are processed by the PCIe controller 116, 126, which is shown in FIG. 1. In parallel, the TLPs are monitored by the one or more filters 210 implemented to count TLPs that fulfill predefined filter criteria.
- The filters 210 are configured to apply the respective filter criterion to fields within the TLP headers. At least one of the filters 210 may be configured to filter a type field or a format field such that only memory TLPs result in a trigger. The respective filter criterion may be selected from the group of fields consisting of type, address, length, and format. For example, a filter may match a memory write packet (Fmt field) combined by logical AND with an address range from 0x0 to 0xFFFF (Address field). Alternatively, the filters 210 may filter TLPs with a specific requester (i.e., requester ID). There may also be a filter 210 that checks a time interval between two inbound TLPs against a pre-defined limit to detect any loss of TLPs or, alternatively, an undesirable increase.
- The classifier 220 is configured to trigger an event based on one of the filter criterion or a logical combination of a plurality of the filter criteria. For example, a filter 210 may count the inbound TLPs that are memory write TLPs with addresses from 0x0000_0000 to 0x0000_FFFF. One filter 210 may check the format (Fmt) and the type fields. Another filter 210 may check the address field. Only when both filter criteria are fulfilled is the connected event counter 230 incremented. The event counters 230 are configured to count a number of the events.
- A processor is configured to detect, based on a value of the event counter 230, an anomaly in the PCIe TLP traffic. If a traffic anomaly is detected, the processor may be further configured to initiate a countermeasure.
- The trigger controller 270 is configured to read the values of the event counters 230. The trigger controller 270 may notify a monitor when the value of one or more of the event counters 230 exceeds a respective threshold TH. The trigger controller 270 comprises a timer 272, and is further configured to notify a monitor of the value of the event counter periodically.
- The trigger controller 270 is optionally configured to trigger the push controller 240 to push values of the plurality of event counters 230 from the plurality of event counters 230 to the respective plurality of read counters 250 simultaneously so that the read counters 250 store a snapshot of all event counters 230. Alternatively, the trigger controller 270 may be configured to trigger the push controller 240 to push values from the one or more event counters 230 to the respective read counters 250 selectively. This push mechanism allows values to be saved in the read counters 250 while the event counters 230 continue to monitor the inbound TLPs. Application software can read the values from the read counters 250 while the event counters 230 continue counting. This push triggering may be based on time, software control, and/or when the value of the event counters 230 exceeds respective thresholds TH. For example, the push may be activated when there are more than 1,000 memory write TLPs with addresses ranging from 0x0000_0000 to 0x0000_FFFF.
- The trigger controller 270 is further configured to trigger the reset controller 260 to reset the event counters 230. The trigger of the reset is similar to that of the push. These resets may occur simultaneously, or alternatively, selectively. The trigger controller 270 may be configured to trigger the reset controller 260 to reset the event counters 230 based on time, software control, or if the value of the event counter exceeds a threshold TH. It is possible to use the same criteria as used to push the values to the read counters 250 to reset the event counters 230. The push and reset action criteria are generally defined by software running on the microcontroller 110, 120. The triggering of the push and reset actions is performed by hardware.
- FIG. 3 illustrates an example of a memory write TLP 300. The header is comprised of three 32-bit words 0-2. Each word has four bytes (8 bits each). The first three words 0-2 include the header fields, and the fourth word 3 includes the data. The header may include fields such as format, TLP packet type, traffic class information, attributes, TLP digest, end point, data length, request identification, tag, and the like. The disclosure is not necessarily limited by the particular header fields.
- FIG. 4 illustrates a flowchart 400 of a method of detecting a traffic anomaly in a PCIe network in accordance with aspects of the disclosure.
- At Step 410, filters 210 filter headers of PCIe TLPs based on respective filter criterion.
- At Step 420, a classifier 220 triggers an event based on one of the filter criterion or a logical combination of a plurality of the filter criteria.
- At Step 430, an event counter 230 counts a number of the events triggered by the classifier 220.
- At Step 440, a processor detects, based on a value of the event counter 230, an anomaly in the PCIe TLP traffic. Based on the detected traffic anomaly, the processor may initiate a countermeasure. This countermeasure may include blocking some TLPs.
- The techniques of this disclosure may also be described in the following examples.
- Example 1. A traffic anomaly detector of a Peripheral Component Interconnect express (PCIe) system, comprising: filters configured to filter headers of PCIe transaction layer packets (TLPs) based on respective filter criterion; a classifier configured to trigger an event based on one of the filter criterion or a logical combination of a plurality of the filter criteria; an event counter configured to count a number of the events; and a processor configured to detect, based on a value of the event counter, an anomaly in the PCIe TLP traffic.
- Example 2. The traffic anomaly detector of Example 1, further comprising: a read counter; a push controller; and a trigger controller configured to trigger the push controller to push the value of the event counter from the event counter to the read counter.
- Example 3. The traffic anomaly detector of Example 2, wherein the trigger controller is configured to trigger the push controller to push the value of the event counter from the event counter to the read counter based on time, software control, and/or when the value of the event counter exceeds a threshold.
- Example 4. The traffic anomaly detector of Example 1, wherein the classifier is configured to trigger the event based on a logical combination of the plurality of filter criteria.
- Example 5. The traffic anomaly detector of Example 1, wherein the classifier is configured to trigger a plurality of events, each of the events based on one of the filter criterion or a logical combination of a plurality of the filter criteria.
- Example 6. The traffic anomaly detector of Example 5, further comprising: a plurality of event counters corresponding with the plurality of events; a plurality of read counters corresponding with the respective plurality of event counters; and a trigger controller configured to trigger a push controller to push values of the plurality of event counters from the plurality of event counters to the respective plurality of read counters simultaneously.
- Example 7. The traffic anomaly detector of Example 1, further comprising: a trigger controller configured to read the value of the event counter.
- Example 8. The traffic anomaly detector of Example 7, wherein the trigger controller is further configured to notify a monitor when the value of the event counter exceeds a threshold.
- Example 9. The traffic anomaly detector of Example 7, wherein the trigger controller is further configured to trigger a reset controller to reset the event counter.
- Example 10. The traffic anomaly detector of Example 8, wherein the trigger controller is further configured to trigger the reset controller to reset the event counter based on time, software control, or if the value of the event counter exceeds a threshold.
- Example 11. The traffic anomaly detector of Example 7, wherein the trigger controller comprises a timer, and the trigger controller is further configured to notify a monitor of the value of the event counter periodically.
- Example 12. The traffic anomaly detector of Example 1, wherein one of the filters is configured to filter a type field or a format field such that only memory TLPs result in a trigger.
- Example 13. The traffic anomaly detector of Example 1, wherein the respective filter criterion are selected from the group of fields consisting of type, address, length, and format.
- Example 14. The traffic anomaly detector of claim 1, wherein if a traffic anomaly is detected, the processor is further configured to initiate a countermeasure.
- Example 15. A PCIe controller, comprising: the traffic anomaly detector of Example 1.
- Example 16. A method of detecting a traffic anomaly in a Peripheral Component Interconnect express (PCIe) system, comprising: filtering, by filters, headers of PCIe transaction layer packets (TLPs) based on respective filter criterion; triggering, by a classifier, an event based on one of the filter criterion or a logical combination of a plurality of the filter criteria; counting, by an event counter, a number of the events; and detecting, by a processor based on a value of the event counter, an anomaly in the PCIe TLP traffic.
- Example 17. The method of Example 16, triggering, by the classifier, the event based on a logical combination of the plurality of filter criteria.
- Example 18. The method of Example 16, further comprising: periodically notifying, by the trigger controller, a monitor of the value of the event counter.
- Example 19. The method of Example 16, further comprising: reading, by a trigger controller, the value of the event counter; and notifying a monitor if the value of the event counter exceeds a threshold.
- Example 20. The method of Example 16, further comprising: initiating, by the processor, a countermeasure if a traffic anomaly is detected.
- While the foregoing has been described in conjunction with an exemplary embodiment, it is understood that the term “exemplary” is merely meant as an example, rather than the best or optimal. Accordingly, the disclosure is intended to cover alternatives, modifications and equivalents, which may be included within the scope of the disclosure.
- Although specific embodiments have been illustrated and described herein, it will be appreciated by those of ordinary skill in the art that a variety of alternate and/or equivalent implementations may be substituted for the specific embodiments shown and described without departing from the scope of the present disclosure. This disclosure is intended to cover any adaptations or variations of the specific embodiments discussed herein.
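A software model of the FIG. 2 pipeline described above (filters 210, classifier 220, event counters 230, push controller 240, read counters 250, reset controller 260, trigger controller 270), added here as an example and not part of the patent. The header bit positions follow the PCIe base specification layout; the event names, the watched requester ID 0x0200, the thresholds and the trace are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 3-DW header as in FIG. 3. Bit positions follow the PCIe base
 * specification layout (assumption: the page does not give them). */
typedef struct { uint32_t dw[3]; } tlp_hdr;

static unsigned tlp_fmt(const tlp_hdr *h)  { return (h->dw[0] >> 29) & 0x7u; }
static unsigned tlp_type(const tlp_hdr *h) { return (h->dw[0] >> 24) & 0x1Fu; }
static unsigned tlp_req(const tlp_hdr *h)  { return h->dw[1] >> 16; }
static uint32_t tlp_addr(const tlp_hdr *h) { return h->dw[2] & ~UINT32_C(3); }

enum { EV_LOW_MWR, EV_WATCHED_REQ, EV_COUNT };   /* hypothetical event names */

typedef struct {
    uint32_t event[EV_COUNT];      /* event counters 230 */
    uint32_t read[EV_COUNT];       /* read counters 250 */
    uint32_t threshold[EV_COUNT];  /* thresholds TH, defined by software */
    unsigned watched_req;          /* requester ID matched by one filter */
    unsigned notifications;        /* times the monitor was notified */
} detector;

void detector_init(detector *d, uint32_t th_mwr, uint32_t th_req, unsigned req)
{
    *d = (detector){ .threshold = { th_mwr, th_req }, .watched_req = req };
}

/* Push controller 240: snapshot all event counters simultaneously. */
void detector_push(detector *d)
{
    for (int i = 0; i < EV_COUNT; i++) d->read[i] = d->event[i];
}

/* Reset controller 260: clear all event counters. */
void detector_reset(detector *d)
{
    for (int i = 0; i < EV_COUNT; i++) d->event[i] = 0;
}

/* One inbound header through filters, classifier, counters and trigger
 * controller. Returns true when the trigger controller fired. */
bool detector_observe(detector *d, const tlp_hdr *h)
{
    /* Filters 210: one header criterion each. */
    bool is_mwr   = tlp_fmt(h) == 0x2 && tlp_type(h) == 0x00; /* 3-DW MWr */
    bool low_addr = tlp_addr(h) <= UINT32_C(0x0000FFFF);
    bool watched  = tlp_req(h) == d->watched_req;

    /* Classifier 220: a logical AND of two criteria, and a single one. */
    if (is_mwr && low_addr) d->event[EV_LOW_MWR]++;
    if (watched)            d->event[EV_WATCHED_REQ]++;

    /* Trigger controller 270: a counter above TH pushes, resets, notifies. */
    for (int i = 0; i < EV_COUNT; i++) {
        if (d->event[i] > d->threshold[i]) {
            detector_push(d);
            detector_reset(d);
            d->notifications++;
            return true;
        }
    }
    return false;
}

/* Build a constructed header (sample data, not captured traffic) with
 * Type 0, Length 1 DW, First BE 0xF, and feed it to the detector. */
static bool feed(detector *d, unsigned fmt, unsigned req, uint32_t addr)
{
    tlp_hdr h = {{ ((uint32_t)fmt << 29) | 1u, ((uint32_t)req << 16) | 0x0Fu,
                   addr & ~UINT32_C(3) }};
    return detector_observe(d, &h);
}

/* Constructed trace: 1500 low-address writes, 200 high-address writes,
 * then 50 reads from the watched requester. Returns the trigger count. */
unsigned run_constructed_trace(detector *d)
{
    unsigned fired = 0;
    for (uint32_t i = 0; i < 1500; i++)
        fired += feed(d, 0x2, 0x0100, (i * 4u) & 0xFFFCu);
    for (uint32_t i = 0; i < 200; i++)
        fired += feed(d, 0x2, 0x0100, UINT32_C(0x80000000));
    for (uint32_t i = 0; i < 50; i++)
        fired += feed(d, 0x0, 0x0200, 0x2000u);
    return fired;
}

int main(void)
{
    detector d;
    detector_init(&d, 1000, 100, 0x0200);
    unsigned fired = run_constructed_trace(&d);
    printf("triggers=%u read={%u,%u} live={%u,%u}\n", fired,
           (unsigned)d.read[0], (unsigned)d.read[1],
           (unsigned)d.event[0], (unsigned)d.event[1]);
    return 0;
}
```

The read counters keep the snapshot taken when the write counter passed its threshold, while the event counters restart from zero and keep counting, which is the separation the push mechanism provides to application software.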
Claims (20)
1. A traffic anomaly detector of a Peripheral Component Interconnect express (PCIe) system, comprising:
filters configured to filter headers of PCIe transaction layer packets (TLPs) based on respective filter criterion;
a classifier configured to trigger an event based on one of the filter criterion or a logical combination of a plurality of the filter criteria;
an event counter configured to count a number of the events; and
a processor configured to detect, based on a value of the event counter, an anomaly in the PCIe TLP traffic.
2. The traffic anomaly detector of claim 1, further comprising:
a read counter;
a push controller; and
a trigger controller configured to trigger the push controller to push the value of the event counter from the event counter to the read counter.
3. The traffic anomaly detector of claim 2, wherein the trigger controller is configured to trigger the push controller to push the value of the event counter from the event counter to the read counter based on time, software control, and/or when the value of the event counter exceeds a threshold.
4. The traffic anomaly detector of claim 1,
wherein the classifier is configured to trigger the event based on a logical combination of the plurality of filter criteria.
5. The traffic anomaly detector of claim 1,
wherein the classifier is configured to trigger a plurality of events, each of the events based on one of the filter criterion or a logical combination of a plurality of the filter criteria.
6. The traffic anomaly detector of claim 5, further comprising:
a plurality of event counters corresponding with the plurality of events;
a plurality of read counters corresponding with the respective plurality of event counters; and
a trigger controller configured to trigger a push controller to push values of the plurality of event counters from the plurality of event counters to the respective plurality of read counters simultaneously.
7. The traffic anomaly detector of claim 1, further comprising:
a trigger controller configured to read the value of the event counter.
8. The traffic anomaly detector of claim 7, wherein the trigger controller is further configured to notify a monitor when the value of the event counter exceeds a threshold.
9. The traffic anomaly detector of claim 7, wherein the trigger controller is further configured to trigger a reset controller to reset the event counter.
10. The traffic anomaly detector of claim 8, wherein the trigger controller is further configured to trigger the reset controller to reset the event counter based on time, software control, or if the value of the event counter exceeds a threshold.
11. The traffic anomaly detector of claim 7, wherein the trigger controller comprises a timer, and the trigger controller is further configured to notify a monitor of the value of the event counter periodically.
12. The traffic anomaly detector of claim 1, wherein one of the filters is configured to filter a type field or a format field such that only memory TLPs result in a trigger.
13. The traffic anomaly detector of claim 1, wherein the respective filter criterion are selected from the group of fields consisting of type, address, length, and format.
14. The traffic anomaly detector of claim 1, wherein if a traffic anomaly is detected, the processor is further configured to initiate a countermeasure.
15. A PCIe controller, comprising:
the traffic anomaly detector of claim 1 .
16. A method of detecting a traffic anomaly in a Peripheral Component Interconnect express (PCIe) system, comprising:
filtering, by filters, headers of PCIe transaction layer packets (TLPs) based on respective filter criterion;
triggering, by a classifier, an event based on one of the filter criterion or a logical combination of a plurality of the filter criteria;
counting, by an event counter, a number of the events; and
detecting, by a processor based on a value of the event counter, an anomaly in the PCIe TLP traffic.
17. The method of claim 16,
triggering, by the classifier, the event based on a logical combination of the plurality of filter criteria.
18. The method of claim 16, further comprising:
periodically notifying, by the trigger controller, a monitor of the value of the event counter.
19. The method of claim 16, further comprising:
reading, by a trigger controller, the value of the event counter; and
notifying a monitor if the value of the event counter exceeds a threshold.
20. The method of claim 16, further comprising:
initiating, by the processor, a countermeasure if a traffic anomaly is detected.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/408,942 US20230056018A1 (en) | 2021-08-23 | 2021-08-23 | Anamoly detection system for peripheral component interconnect express |
Publications (1)
Publication Number | Publication Date |
---|---|
US20230056018A1 true US20230056018A1 (en) | 2023-02-23 |
Family
ID=85229229
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/408,942 Pending US20230056018A1 (en) | 2021-08-23 | 2021-08-23 | Anamoly detection system for peripheral component interconnect express |
Country Status (1)
Country | Link |
---|---|
US (1) | US20230056018A1 (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070266179A1 (en) * | 2006-05-11 | 2007-11-15 | Emulex Communications Corporation | Intelligent network processor and method of using intelligent network processor |
US20090265784A1 (en) * | 2005-11-08 | 2009-10-22 | Tohoku University | Network failure detection method and network failure detection system |
US20140112131A1 (en) * | 2011-06-17 | 2014-04-24 | Hitachi, Ltd. | Switch, computer system using same, and packet forwarding control method |
US20210124692A1 (en) * | 2017-12-19 | 2021-04-29 | Western Digital Technologies, Inc. | Direct host access to storage device memory space |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP4077812B2 (en) | Integrated circuit routers that support individual transmission rates | |
US7010639B2 (en) | Inter integrated circuit bus router for preventing communication to an unauthorized port | |
US7082488B2 (en) | System and method for presence detect and reset of a device coupled to an inter-integrated circuit router | |
US7543191B2 (en) | Method and apparatus for isolating bus failure | |
US11316889B2 (en) | Two-stage hash based logic for application layer distributed denial of service (DDoS) attack attribution | |
US7630304B2 (en) | Method of overflow recovery of I2C packets on an I2C router | |
JP2012521042A (en) | Web front end throttling | |
JP4294544B2 (en) | Integrated circuit bus router for improved security | |
JP3920280B2 (en) | Data transmission method through I2C router | |
WO2023160635A1 (en) | Protection apparatus and method for image data processing module, and electronic device and medium | |
KR100628317B1 (en) | Apparatus for detecting attacks toward network and method thereof | |
US20230056018A1 (en) | Anamoly detection system for peripheral component interconnect express | |
CN114189390A (en) | Domain name detection method, system, equipment and computer readable storage medium | |
US20040255193A1 (en) | Inter integrated circuit router error management system and method | |
US11496394B2 (en) | Internet of things (IoT) device identification on corporate networks via adaptive feature set to balance computational complexity and model bias | |
US11870693B2 (en) | Kernel space based capture using intelligent packet selection paradigm and event output storage determination methodology | |
CN114301644A (en) | Network anomaly detection system and method | |
US20040255195A1 (en) | System and method for analysis of inter-integrated circuit router | |
US11425094B2 (en) | Abnormal packet detection apparatus and method | |
CN113132298B (en) | Method and system for realizing network intrusion detection on automobile gateway | |
CN117527529B (en) | Ethernet data storage method and device capable of automatically recovering from normal state | |
JP2007150778A (en) | Unauthorized access detection method, device, and program | |
CN114143089A (en) | Message processing method and device, network equipment and computer readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: INFINEON TECHNOLOGIES AG, GERMANY Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LI, LIN;KUMAR, VARUN;ZWECK, HARALD;SIGNING DATES FROM 20210820 TO 20210823;REEL/FRAME:057256/0965 |
| STPP | Information on status: patent application and granting procedure in general | Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
| STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
| STPP | Information on status: patent application and granting procedure in general | Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
| STPP | Information on status: patent application and granting procedure in general | Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS |